Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2008-0960

Published: 10 June 2008

SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.

Notes

AuthorNote
jdstrand
expoit tool: http://www.securityfocus.com/archive/1/493304/30/0/threaded
nxvl
Upstream patch: http://sourceforge.net/tracker/download.php?group_id=12694&atid=456380&file_id=280776&aid=1989089

Priority

Medium

Status

Package Release Status
net-snmp
Launchpad, Ubuntu, Debian
dapper
Released (5.2.1.2-4ubuntu2.3)
feisty Ignored
(end of life, was needed)
gutsy
Released (5.3.1-6ubuntu2.2)
hardy
Released (5.4.1~dfsg-4ubuntu4.2)
intrepid
Released (5.4.1~dfsg-7.1ubuntu6.1)
jaunty Not vulnerable

karmic Not vulnerable

upstream
Released (5.4.1~dfsg-8.1)
Patches:
vendor: https://rhn.redhat.com/errata/RHSA-2008-0529.html
vendor: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=485945

ucd-snmp
Launchpad, Ubuntu, Debian
dapper Ignored
(end of life)
feisty Does not exist

gutsy Does not exist

hardy Does not exist

intrepid Does not exist

jaunty Does not exist

karmic Does not exist

upstream Needs triage

Patches:


vendor: https://rhn.redhat.com/errata/RHSA-2008-0528.html